IT Asset Control & Disposal Policy Guide

January 2015

Often times, Cascade customers would like to develop an internal process or procedure for controlling and managing the disposal of IT assets. This is helpful in creating standards for the organization and for training staff in implementing this procedure.

Below is a generic framework for policy for IT asset control and disposal. This framework emphasizes the need to control data on IT equipment during use, internal transfer and disposal. It is important for an asset disposal policy to be tied to an IT asset usage policy because many of the issues faced in disposal should be considered and communicated to employees when they are given assets to use. A policy like this touches many aspects of an organization and should be developed and coordinated with a company’s Purchasing/Procurement, Information Technology, Environmental/Risk Management, and Facilities departments.

Note – this is a framework for a Policy and not a set of procedures that instruct your organization on how to meet policy requirements. It is recommended to create a policy first and then the procedures and processes will derive from this policy.

Cascade also produced a tool titled “IT Asset Retirement Project Development Considerations,” which helps organization identify their asset management and retirement needs and to develop an entire program around these needs. Please contact us if you need a copy of this document.

You can also search the web with the keywords “Asset Disposal Procedure” to find a large number of published disposal guides, typically written for government and educational institutions.

Other resources available for use:

  • NIST Special Publication 800-88, Revision 1: “Guidelines for Media Sanitization”() – this is the definitive guide for determining the organization’s tolerance for risk and establishing appropriate methods and systems to sanitize data on all manner of storage devices.
  • HIPAA Security Rule Guidance Materials()–The US Department of Health and Human Services compiled a number of resource materials to help establish security standards and procedures that are not only helpful for the healthcare industry, but for anyone handling confidential information.
  • PCI – DSS Sample Policy Template ()– this resource provides a good overview of the elements of an organizational Policy that meets the payment card industry standard.

Be sure to speak with a representative from Cascade Asset Management if you would like further assistance. We provide training, tools, and examples of best practices from others in the industry to help you get started and further improve your programs.

Sample IT Asset Control and Disposal Policy

- Thanks to “Computer Technology Documentation Project” for major contributions to this template

1.0 Overview
All employees and personnel that have access to organizational computer systems must adhere to the IT asset control policy defined below in order to protect the security of the network, protect data integrity, and protect and control computer systems and organizational assets. The asset control policy will not only enable organizational assets to be tracked concerning their location and who is using them but it will also protect any data being stored on those assets. This asset policy also covers disposal of assets.

IT assets should not be confused with nor tracked with other organizational assets such as furniture. One of the main reasons to track IT assets other than for property control and tracking is for computer security reasons. A special IT asset tracking policy will enable the organization to take measures to protect data and networking resources.

This policy will define what must be done when a piece of property is moved from one building to another or one location to another. This policy will provide for an asset tracking database to be updated so the location of all computer equipment is known. This policy will help network administrators protect the network since they will know what user and computer is at what station in the case of a worm infecting the network. This policy also covers the possibility that data on a computer being moved between secure facilities may be sensitive and must be encrypted during the move.

2.0 Purpose & Responsibility
This policy is designed to protect the organizational resources on the network by establishing a policy and procedure for asset control. These policies will help prevent the loss of data or organizational assets and will reduce risk of losing data due to poor planning.

The Security Officer [insert role] is ultimately responsible for the development, implementation and enforcement of this policy.

3.0 Assets Tracked
This section defines what IT assets should be tracked and to what extent they should be tracked.

3.1 IT Asset Types
This section categorized the types of assets subject to tracking.

  1. Desktop workstations
  2. Laptop mobile computers
  3. Mobile phones and tablets
  4. Printers, Copiers, FAX machines, multifunction machines
  5. Handheld devices
  6. Scanners
  7. Servers
  8. Firewalls
  9. Routers
  10. Switches
  11. Memory devices

3.2 Assets Tracked
Assets which cost less than $100 shall not be tracked specifically including computer components such as video cards or sound cards. However, assets which store data regardless of cost shall be tracked. These assets include:

  1. Hard Drives
  2. Temporary storage drives
  3. Tapes with data stored on them including system backup data.
  4. Although not specifically tracked, other storage devices including CD ROM disks and floppy disks are covered by this policy for disposal and secure storage purposes.

3.3 Small Memory Devices
Small memory storage assets will not be tracked by location but by trustee. These assets include:

  1. Floppy disks
  2. CD ROM disks
  3. Memory sticks

If these types of devices are permitted for some employees, the trustee of the device must sign for receipt of these devices in their possession. All employees must also agree to handle memory sticks, floppy disks, and CD ROM disks in a responsible manner and follow these guidelines:

  1. Never place sensitive data on them without authorization. If sensitive data is placed on them, special permission must be obtained and the memory device must be kept in a secure area.
  2. Never use these devices to bring executable programs from outside the network without authorization and without first scanning the program with an approved and updated anti-virus and malware scanner. Any program brought into the network should be on the IT department list of approved programs.

The Memory Device Trustee agreement allows employees to sign for receipt of these devices and agree to handle these devices in accordance with the terms of this policy. This form must be submitted by all employees that will work with any organizational data when the employee begins working for the organization. It will also be submitted when employee receives one or more memory sticks, temporary storage drives, or data backup drives.

4.0 Asset Tracking Requirements

  1. All assets must have an ID number. Either an internal tracking number will be assigned when the asset is acquired or the use of Manufacturer ID numbers must be specified in this policy.
  2. An asset tracking database shall be created to track assets. It will include all information on the Asset Transfer Checklist table and the date of the asset change.
  3. When an asset is acquired, an ID will be assigned for the asset and its information shall be entered in the asset tracking database.

5.0 Transfer Procedure:

  1. Asset Transfer Checklist - When an asset type listed on the Asset Types list is transferred to a new location or trustee, the IT Asset Transfer Checklist must be filled out by the trustee of the item and approved by an authorized representative of the organization. The trustee is the person whose care the item is in. If the item is a workstation, then the trustee is the most common user of the workstation. For other equipment, the trustee is the primary person responsible for maintenance or supervision of the equipment.

The trustee must fill out the Asset Transfer Checklist form and indicate whether the asset is a new asset, moving to a new location, being transferred to a new trustee, or being disposed of. The following information must be filled in:

  1. Asset Type
  2. ID number
  3. Asset Name
  4. Current Location
  5. Designated Trustee
  6. New Location
  7. New Trustee
  8. Locations of Sensitive Data

Once the trustee fills out and signs the Asset Transfer Checklist form an authorized representative must sign it.

  1. Data entry - After the Asset Transfer Checklist is completed, it will be given to the asset tracking database manager. The asset tracking database manager will ensure that the information from the forms is entered into the asset tracking database within one week.
  1. Checking the database - Managers who manage projects that affected equipment location should check periodically to see if the assets that recently were moved were added to the database. The database should provide a recent move list which can be easily checked. Managers should check the database weekly to be sure assets moved within the last 2 or 3 weeks are included in the database.

6.0 Asset Transfers
This policy applies to any asset transfers including the following:

  1. Asset purchase
  2. Asset relocation
  3. Change of asset trustee including when an employee leaves or is replaced.
  4. Asset disposal, including:
  • Asset returned to manufacturer or reseller due to warranty return
  • Leased asset returned to Lessor

In all these cases the asset transfer checklist must be completed.

7.0 Media Sanitization

When transferring assets to another trustee, any confidential information on the device must be protected and/or destroyed. The method of data destruction is dependent on the sensitivity of the data on the device and the next user of the device (within the organization and its controls or outside the organization).

[refer to NIST Special Publication 800-88 Revision 1 for its Guidelines for Media Sanitization to select methods appropriate to your organization’s tolerance for risk.

8.0 Asset Disposal
Asset disposal is a special case since the asset must have any sensitive data removed during or prior to disposal. The manager of the user of the asset must determine what the level of maximum sensitivity of data stored on the device is. Below is listed the action for the device based on data sensitivity according to the data assessment process.

  1. None (Unclassified) - No requirement to erase data but in the interest of prudence normally erase the data using any means such as sanitization, physical destruction or degaussing.
  2. Low (Sensitive) - Erase the data using any means such as electronic sanitization, physical destruction or degaussing.
  3. Medium (Confidential) - The data must be erased using an approved technology to make sure it is not readable using special hi technology techniques.
  4. High (Secret) - The data must be erased using an approved technology to make sure it is not readable using special hi technology techniques. Approved technologies are to specified in a Media Data Removal Procedure document by asset type including:
  5. Floppy disk
  6. Memory stick
  7. CD ROM disk
  8. Storage tape
  9. Hard drive.
  10. RAM memory
  11. ROM memory or ROM memory devices.

9.0 Media Use
This policy defines the types of data that may be stored on removable media and whether that media may be removed from a physically secure facility and under what conditions it would be permitted. Removable media includes:

  1. Floppy disk
  2. Memory stick
  3. CD ROM disk
  4. Storage tape

Below is listed the policy for the device based on the rated data sensitivity of data stored on the device according to the data assessment process.

  1. Unclassified - Data may be removed with approval of the first level manager and the permission is perpetual for the employee duration of employment unless revoked. The device may be sent to other offices using any public or private mail carrier.
  2. Sensitive - Data may only be removed from secure areas with the permission of a director level or higher level of management and approvals are good for one time only.
  3. Confidential - The data may only be removed from secure areas with permission of a Vice -president or higher level of management. There must be some security precautions documented for both the transport method and at the destination.
  4. Secret - - The data may only be removed from secure areas with the permission of the President or higher level of management. There must be some security precautions documented for both the transport method and at the destination.
  5. Top secret - The data may never be removed from secure areas.

10.0 Enforcement
Since data security and integrity along with resource protection is critical to the operation of the organization, employees that do not adhere to this policy may be subject to disciplinary action up to and including dismissal. Any employee aware of any violation of this policy is required to report it to their supervisor or other authorized representative.

11.0 Employee Training and Acknowledgment of policy

Each employee in the organization is expected to be aware of current policies and procedures related to IT Security and shall be trained on these policies and procedures on at least an annual basis. Employees are required to sign an acknowledgment that they are aware of the policy and will meet its requirements.

Page 1 of 126701 Manufacturers Drive * Madison, WI53716

Ph: 608.222.4800 * Toll free: 888.222.8399 * Fax: 608.222.6208

*


Controlled Document / Information Destruction Instruction Manual (IDIM) / Rev.2
REF52 / Owner:
Core Team / Revision Date:
02/11/2016

Cascade Asset Management

Information Destruction Instruction Manual

1.0Introduction and Overview

1.1 Cascade’s Security Policy:

Through our people, processes, and technology, Cascade Asset Management is committed to ensuring the physical security and confidentiality of data for our customers and ourselves. As such, Cascade will:

  • Follow all applicable laws regarding data security and privacy protection;
  • Design, implement, and enforce security measures which meet industry best practices and any agreed upon requirements of our customers;
  • Regularly assess, document, and mitigate risks to our customers and Cascade; and,
  • Advance our culture of security among our staff, partners, customers, and vendors.

This document implements the official Security Policy of the Organization and is intended to provide direction to all employees regarding acceptable methods for destroying discarded information in order to protect the Organization, its clients, and employees.

Compliance with the policy and with the requirements herein when discarding or destroying information owned or maintained by Cascadeis considered a condition of employment.

Failure to adhere to the requirements within this Information Destruction Instruction Manual could result in disciplinary action, dismissal, civil proceedings, regulatory penalties, and/or legal prosecution.

1.2 Policy Development, Implementation, and Oversight

1.2.1 Policy Development

The Core Team is responsible for the development and amendments to the organization’s Security Policy. The policy shall be reviewed annually, or at anytime that there is substantive change in regulatory requirements, or under any circumstance that may otherwise provide cause for such a review. Cascade’s Security Policy can be found on Cascade’s external website.

1.2.2 Policy Approval

The Core Team is responsible for the final approval of the Security Policy or any modifications made to it.

1.2.3 Orientation & Training

The Director of Operations, serving as the Security Compliance Officer, is responsible for implementation and documentation of the orientation of employees to the Security Policy. This training may involve the participation of outside contractors hired to provide information management or destruction services.

1.2.4 Contracting/Purchasing

The CEO is responsible for the contracting of any third party to provide information destruction services not performed internally by Cascade.

1.2.5 Compliance Auditing/Review

The Director of Operations is responsible for auditing employee compliance with the Security Policy on an annual basis, as well as documenting and retaining a record of violations of the policy.

1.3 Employee Orientation/Training

1.3.1 Orientation/Training

Upon hiring, and whenever updated, all employees shall 1) be properly oriented on the Cascade’s security procedures, 2) be given access to a copy of the Self-Audit Packet’s security program documentation (available on Alfresco) and the Information Destruction Instruction Manual (IDIM) and 3) execute the appropriate acknowledgement prior to handling ANY information.

1.3.2 Acknowledgement

Upon completion of initial and recurring orientation, employees shall sign the Information Destruction Program Awareness Acknowledgement verifying their understanding of, and their agreement to comply with, the requisite policies and procedures contained in the IDIM.

1.4 Security Policy –Information Access and Incidents

Employees should direct all questions regarding compliance with the Security Policy to his or her supervisor or the Director of Operations.

During the course of employment at Cascade, staff may have access to customer data, including Protected Health Information (PHI). Any customer data, whether written, photographic, or electronic, must be maintained in a manner that ensures its privacy and security.

Employees who are authorized by Cascade to access device storage areas which may contain customer data have a responsibility to limit uses and disclosures to those that are allowed by permission, by authorization, and/or by law. The access must be appropriate to the employee’s job responsibilities and solely with intention to destroy data or demonstrate efficacy of destruction methods.

Under no circumstances may employees disclose, save, or archive (e.g.,photograph) any customer information. A breach is a violation of Cascade policies and/or state or federal regulatory requirements resulting in the unauthorized or inappropriate use, disclosure, or access of customer data.